The European Union Agency for Cybersecurity (ENISA) published an updated National Capabilities Assessment Framework - NCAF 2.0 - on April 22, 2026, providing EU Member States with a structured methodology to measure the maturity of their national cybersecurity strategies and identify where further investment is needed. The revised framework and accompanying online tool enable governments to gauge progress at both strategic and operational levels, pinpointing strengths, gaps, and priorities in the implementation of national cybersecurity strategies (NCSSs). The release comes as Member States navigate the first operational deadlines under the NIS2 Directive and face mounting pressure to demonstrate measurable cybersecurity progress to European institutions and international partners.
Background
For more than a decade, ENISA has supported EU Member States in developing and implementing national cybersecurity strategies aimed at building trust, resilience, and transparency. The original NCAF was first published by ENISA, and in 2022, the agency developed the NCAF Tool to help Member States assess the maturity of their NCSSs and strengthen cybersecurity capabilities at strategic and operational levels. The updated version was developed amid a significantly changed regulatory environment.
On 16 January 2023, Directive (EU) 2022/2555, known as NIS2, entered into force, replacing Directive (EU) 2016/1148. NIS2 establishes a unified legal framework to uphold cybersecurity across 18 critical sectors in the EU and requires Member States to define national cybersecurity strategies and collaborate on cross-border response and enforcement. In January 2026, the European Commission proposed targeted amendments to NIS2 to increase legal clarity and simplify compliance with EU cybersecurity rules and risk-management requirements for companies operating in the EU.
Details
The NCAF maturity model was revised to reflect significant changes in the EU cybersecurity landscape since 2020 while retaining the original methodological framework. Updates include new requirements for national cybersecurity strategies and peer reviews under NIS2, revised descriptions of the five maturity levels, and a reorganized clustering of ENISA's strategic objectives developed for the NCSS map.
NCAF 2.0 measures performance against a defined set of 20 strategic objectives, expanded from the original 17 in the previous version of the framework. ENISA identified 20 core strategic objectives, expanding on the original 17 and introducing additional thematic areas. The self-assessment framework defines maturity levels at multiple layers - objective level, cluster level, and overall (global) level. The revised framework also accounts for recent regulatory developments such as NIS2 - including Articles 7, 19, 21, and 23 - as well as the Cyber Resilience Act (CRA), helping Member States identify areas for improvement.
Assessment results remain confidential unless a Member State chooses to publish them voluntarily. The updated framework contributes to strengthening the EU's collective cybersecurity posture while allowing Member States to adapt the assessment to their national context and priorities. It also supports Member States in preparing for the voluntary peer review process outlined under Article 19 of NIS2.
Early pilot feedback illustrates divergent national experiences. ENISA noted that Greece praised the framework's alignment with NIS2 and its effectiveness in identifying strengths, gaps, and overlaps, as well as in supporting implementation planning and interinstitutional coordination - including in public bodies with limited resources. Italy found the framework valuable for informing the forthcoming policy cycle through better prioritization, clearer timelines, and the establishment of benchmarks, while also offering proposals to strengthen the methodology, simplify the framework, and ensure complementarity with the EU Cybersecurity Index.
NCAF 2.0 is structured around four thematic clusters representing key areas of cybersecurity capacity. The first - capacity building and awareness - assesses Member States' ability to raise awareness of cybersecurity risks and threats, strengthen cyber resilience and hygiene, develop cybersecurity capabilities continuously, and enhance knowledge and skills across the domain.
Outlook
The NCAF supports Member States in preparing for the NIS2 peer review process, particularly by helping define the scope and focus of assessments, and enables authorities to anticipate emerging challenges before they escalate. Beyond operational value, the framework enhances the credibility of NCSSs among the general public and international partners, promoting transparency and trust in participating organizations.
For manufacturing and critical infrastructure operators subject to NIS2, the maturity benchmarks established through NCAF 2.0 are likely to inform national supervisory expectations, investment prioritization, and the scope of forthcoming sector-specific resilience programs across energy, transport, health, and finance.
Also from ENISA: ENISA's Secure-by-Design Playbook Advances OT/IT Lifecycle Security
